With the development of network technology, network applications such as network games, electronic trading and social applications have become indispensable. Animations are widely used in these applications, and the Flash animation format provided by Adobe (file name extension .swf) is the most widely used. Flash supports a powerful scripting language, ActionScript (AS), which enables rich functionality for displaying web pages. However, the power and openness of AS also introduce security risks. Common security vulnerabilities include cross-site scripting (XSS) and cross-site flash (XSF).
Currently, common methods for detecting Flash security vulnerabilities include static analysis and dynamic analysis. Static analysis can be carried out in a semi-automatic manner or in an automatic manner.
In the semi-automatic manner, a reviewer locates key functions by manually reading the source code and checks whether the parameters of each key function are externally controllable, which takes a lot of time and human resources.
In the automatic manner, the AS source code is obtained by decompilation and matched against known vulnerability code features to perform security detection. For example, given the decompiled AS code segment getURL (_root.gourl, _blank), the vulnerability can be found by searching the code for the key function getURL and determining whether its parameter is an external input of the form _root.*. This solution can be fully automated but has limited detection capability, since only a single line of code is examined at a time.
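The single-line matching described above, as an added example that is not code from the original document: it flags getURL calls whose first parameter is _root.* and then shows the limitation, a call fed through an intermediate variable that the line-by-line match does not report. The sample AS lines, the variable names and the function names are constructed for illustration.

```python
import re

# Constructed sample of decompiled ActionScript (not from the original page).
SAMPLE = '''\
getURL (_root.gourl, "_blank");
getURL("http://example.com/help.html", "_blank");
var target = _root.next;
getURL(target, "_self");
'''

# Key function named in the text; the first argument is captured for inspection.
KEY_CALL = re.compile(r'\bgetURL\s*\(\s*([^,)]+)')
# External input as described in the text: any _root.* property.
EXTERNAL = re.compile(r'^_root\.\w+$')
# Simple assignment of an external input to a variable (assumed form).
ASSIGN = re.compile(r'^\s*(?:var\s+)?(\w+)\s*=\s*(_root\.\w+)\s*;')


def scan_single_line(source):
    """Return (line_no, argument) for getURL calls whose first argument is _root.*."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in KEY_CALL.finditer(line):
            arg = match.group(1).strip()
            if EXTERNAL.match(arg):
                findings.append((line_no, arg))
    return findings


def missed_by_single_line(source):
    """Return line numbers of getURL calls fed by a variable set from _root.* earlier."""
    tainted, missed = set(), []
    for line_no, line in enumerate(source.splitlines(), start=1):
        assignment = ASSIGN.match(line)
        if assignment:
            tainted.add(assignment.group(1))  # remember the variable name
            continue
        for match in KEY_CALL.finditer(line):
            if match.group(1).strip() in tainted:
                missed.append(line_no)
    return missed


if __name__ == "__main__":
    print("single-line matches:", scan_single_line(SAMPLE))
    print("missed (indirect flow):", missed_by_single_line(SAMPLE))
```
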